[OpenAFS] tokens at login

lamont@scriptkiddie.org lamont@scriptkiddie.org
Wed, 27 Apr 2005 12:01:41 -0700 (PDT)

There's a bug in pam_krb5afs where its supposed to lookup the fileserver 
that /afs/<cellname> lives and find its realm (from the domain_realm 
mapping in krb5.conf) and then try afs/cellname@realm.  Under 1.3.x when 
it calls the PFindVolume pioctl it only passes in a 4 byte long iob.out in 
minikafs_realm_of_cell_with_ctx() that causes a bounds checking violation 
in the pioctl code.  That error message is from this pioctl call.  Prior 
to that in 1.2.x, PFindVolume would truncate the result and return the 
first IP address of the first fileserver that served the volume.  Under 
1.3.x pam_krb5afs needs to pass in space for 13 IP addresses into iob.out, 
even though it only needs the first one:

#define   MAXHOSTS        13      /* max hosts per single volume */

I don't have a particularly clean patch to fix that problem, but I've 
mentioned it to the pam_krb5afs maintainer.

This is only part of the algorithm to find the correct realm and 
credential which is failing, you might be able to work around it without 
patching the code.

On Thu, 7 Apr 2005, Dj Merrill wrote:
> 	In the logs I get:
> Apr  7 11:14:08 galactica sshd[9019]: pam_krb5[9019]: got error -1 (Unknown 
> code ____ 255) while obtaining tokens for mytest.dartmouth.edu